13th August 2018 - VORACLE Exploit

We’ve seen recent reporting that implies PIA is vulnerable to the ‘VORACLE’ exploit. From our internal investigation, we are not vulnerable as compression is not enabled on the Private Internet Access service.

Compression was disabled on the 26th December 2014 in the server configuration, which supersedes the local configuration and overrules any compression setting presented in the client's configuration file.

This prevents the VORACLE exploit from occurring: according to the researcher's slides and results, compression must be enabled for the attack to work against a VPN service.

To confirm that compression was disabled from the server side, we checked the configuration settings from the OpenVPN command line (with verb 4 enabled), which shows the exact push statement disabling it:

We also confirmed that our mobile platforms (Android and iOS) are superseded by the server configuration and do not allow compression.
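As an added illustration of the check described above (not PIA's own tooling or output), the following Python script reads a verb 4 OpenVPN client log, extracts the PUSH_REPLY option list, and resolves the effective compression state on the principle that a pushed directive overrides whatever the local .ovpn file says. The log line is constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample of what an OpenVPN client logs at verb 4 when the server
# pushes "comp-lzo no" (illustrative lines, not any provider's real output).
SAMPLE_LOG = """\
2018-08-13 12:00:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-08-13 12:00:00 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.1,comp-lzo no,route 10.0.0.0 255.255.255.0,ping 10,ifconfig 10.0.0.6 10.0.0.5'
2018-08-13 12:00:00 OPTIONS IMPORT: compression parms modified
"""

# Arguments that turn on a real compression algorithm (the VORACLE precondition).
_COMP_LZO_ON = {"", "yes", "adaptive"}   # bare "comp-lzo" means adaptive
_COMPRESS_ON = {"lzo", "lz4", "lz4-v2"}  # bare "compress" / "compress stub" only add framing


def compression_enabled(option: str) -> Optional[bool]:
    """True/False if `option` turns compression on/off, None if it is unrelated."""
    parts = option.strip().split()
    if not parts:
        return None
    name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
    if name == "comp-lzo":
        return arg in _COMP_LZO_ON
    if name == "compress":
        return arg in _COMPRESS_ON
    return None


def pushed_options(log_text: str) -> List[str]:
    """Return the option list from the first PUSH_REPLY control message in the log."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log_text)
    return m.group(1).split(",") if m else []


def effective_compression(local_config: str, log_text: str) -> bool:
    """Resolve the final state: the local .ovpn is applied first, the server push last."""
    state = False
    for line in local_config.splitlines():
        v = compression_enabled(line.split("#", 1)[0])  # ignore trailing comments
        if v is not None:
            state = v
    for opt in pushed_options(log_text):  # pushed settings override local ones
        v = compression_enabled(opt)
        if v is not None:
            state = v
    return state
```

Running `effective_compression("client\ncomp-lzo adaptive\n", SAMPLE_LOG)` returns False: the client asked for compression, but the pushed `comp-lzo no` wins.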

We are in contact with the researcher and will keep you updated if we see any evidence to the contrary. Additionally, we will endeavour to make sure any such reporting around this in relation to Private Internet Access is correct. For clarity:

“The list of VPN providers on my slides was just to help the audience understand the kind of VPNs that the talk was dealing with. Not that all of those VPNs were vulnerable. In fact, there are many VPN providers using OpenVPN and they could have this. This is why I worked with the OpenVPN team directly. Their usage [guidelines] now clearly talk about the security issues when compression is enabled.”

- Ahamed Nafeez

As always, we would like to thank the researcher, and all security researchers, for helping expose issues in security software and making end users safer.

Private Internet Access is the leading VPN Service provider specializing in secure, encrypted VPN tunnels which create several layers of privacy and security providing you safety on the internet. Our service is backed by multiple gateways worldwide with access in 30+ countries, 50+ regions.